We have recently been witnessing an ever-increasing number of data privacy and security breaches across many industries. API security breaches and open API are now on the radar.
- Facebook has freely let slip the most sensitive information from 83 million of its accounts that ended up in the hands of lobby groups.
- The US Target retailer was hacked 110 million customer accounts;
- The American company Equifax has been hacked the data of 143 million Americans, meaning that the hackers are in possession of information on the wealth of almost every American household, and have sufficient information to allow them to steal identities.
What will be the future of an Open API in the context of increasing data breaches?
As a reminder, an Open API, also called as a Public API, is an Application Programming Interface that allows the owner of a network-accessible service to give universal access to consumers of that service, such as developers. An Open API is the tip of the iceberg because it is the most visible one and is used to communicate beyond the boundaries of the company. Open APIs are usually exposed into a public API developer portal that developers can access in a self-service mode. Software companies, for example, publish a series of APIs to encourage third-party developers in vertical industries to enable the innovation and find new ways to better leverage business applications by improving data exchanges between different systems.
A few days ago, in the aftermath of the Cambridge Analytica scandal, Facebook decided to restrict access to their APIs, leaving many third-party apps stranded, including some powerful ones such as Tinder.
In a blog post just published, the CTO of Facebook has decided to restrict access to some of the most used APIs, in the hope to better protect personal information of its millions of users, and promising further changes in the few months to come. Most notable restrictions include:
- Events API: apps using the API will no longer be able to access the guest list or posts on the event wall.
- Groups API: all third-party apps using the Groups API will need approval from Facebook and an admin to ensure they benefit the group.
- Pages API: all future access to the Pages API will need to be approved by Facebook.
- Facebook Login: Facebook will from now on need to approve all apps that request access to information such as check-ins, likes, photos, posts, videos, events and groups.
- Instagram Platform API: The deprecation of the Instagram Platform API is now effective.
Add to this: restrictions and modifications to Search and Account Recovery, Call and Text history and the total shutdown of Data Providers and Partner Categories that lets third-party data providers offer their targeting directly on Facebook.
What Facebook has decided to apply to itself will certainly be followed by many small and large institutions.
How GDPR will impact an Open API initiative?
In Europe, the stringent data protection regulation (GDPR), which will come into enforcement in May 2018, this puts even higher barriers on Open API, albeit indirectly.
The GDPR clearly states that the data owner is responsible for its first as well as its second tier subcontractors for what they do when accessing and manipulating the data. This could imply any IT systems or apps that use the owners data APIs. And this is not limited only to Europe’s geography, all European organizations will have to comply no matter where they operate in the world. All non-European organizations working with Europe will also have to comply.
Will this mean that the unrestricted promotion and publication of Open API will be seriously damaged?
I believe so. The GDPR, according to its article 7 and article 21, already implies that companies might well need a double opt-in from customers before they can use their profile information for marketing purposes. GDPR also means, according to its article 5, that AI algorithm development might seriously be hindered by the lack of availability of data for deep learning to function. It is therefore extremely likely that Open APIs will be impacted, in the same way GDPR and data privacy concerns will impact other data access and manipulation practices.
Click here to learn more about GDPR.